MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7701ee20f7c99aadf95e31bf775bf1614f66aea3e9f03dfadf5ee247ab8eb29c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GuLoader
Vendor detections: 9

SHA256 hash: 7701ee20f7c99aadf95e31bf775bf1614f66aea3e9f03dfadf5ee247ab8eb29c
SHA3-384 hash: b18efa99476950a3fb59ab5235a4d2ac21066fd3d35bde0714faa28ce272d9a8b6e7eb4dda742ba6912fb4db5fc91692
SHA1 hash: 5bc7c8eb7d338f11377acbaa085b1e80e74bfa2e
MD5 hash: f4bb13f9b180a07d52c93a0ae5b15ce0
humanhash: pluto-muppet-wyoming-dakota
File name: SecuriteInfo.com.Gen.Variant.Nemesis.10217.17747.5879
Signature: GuLoader
File size: 309'824 bytes
First seen: 2022-08-29 13:43:24 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 4ea4df5d94204fc550be1874e1b77ea7 (241 x GuLoader, 29 x RemcosRAT, 17 x VIPKeylogger)
ssdeep 6144:MB+pgUMOgRP2/w0PmArCT8/TYmGda4jRlCL:MgngRO/wymECIrYmr4o
TLSH T1C1644BF2E79849A2CC6A133989776E361677FDAD2D71874F124C70346FB3382216A607
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon e0c0e8ccccece0f0 (1 x GuLoader)
Reporter SecuriteInfoCom
Tags: exe GuLoader signed

Code Signing Certificate

Organisation: Hvervets Alcamine Erastianism
Issuer: Hvervets Alcamine Erastianism
Algorithm: sha256WithRSAEncryption
Valid from: 2022-05-10T04:54:43Z
Valid to: 2025-05-09T04:54:43Z
Serial number: -0419a1bc0998d314
Thumbprint Algorithm: SHA256
Thumbprint: cfdc0f97c05ead35dc928d252bb50ab877aecfb2bb91b46e681e5b78db6f4d0b
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 334
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SecuriteInfo.com.Gen.Variant.Nemesis.10217.17747.5879
Verdict: Malicious activity
Analysis date: 2022-08-29 13:44:05 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Suspicious
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a window
Searching for the window
Creating a file in the %AppData% subdirectories
Delayed reading of the file
Creating a file
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: GuLoader
Detection: malicious
Classification: troj.evad
Score: 68 / 100
Signature
Mass process execution to delay analysis
Multi AV Scanner detection for submitted file
Obfuscated command line found
Tries to detect Any.run
Yara detected GuLoader
Behaviour
Behavior Graph (ID: 692409; sample: SecuriteInfo.com.Gen.Varian...; start date: 29/08/2022; architecture: WINDOWS; score: 68)
Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected GuLoader
Contacted domain: globalshservices.site
Process tree:
  SecuriteInfo.com.Gen.Variant.Nemesis.10217.17747.5879.exe (started)
    Dropped files: C:\Users\user\AppData\Local\...\nsExec.dll (PE32); C:\Users\user\AppData\Local\...\System.dll (PE32)
    Signatures: Obfuscated command line found; Mass process execution to delay analysis
    SecuriteInfo.com.Gen.Variant.Nemesis.10217.17747.5879.exe (child, started)
      Network: globalshservices.site 66.147.238.174, 443, 49770 HOSTROCKETUS United States
      Signature: Tries to detect Any.run
    cmd.exe (started)
      Conhost.exe (started)
    cmd.exe (started)
      Conhost.exe (started)
    62 other processes
      Conhost.exe (started, three instances)
      59 other processes
Threat name: Win32.Trojan.Nemesis
Status: Malicious
First seen: 2022-08-29 13:44:12 UTC
File Type: PE (Exe)
Extracted files: 6
AV detection: 13 of 26 (50.00%)
Threat level: 5/5
Verdict: unknown
Result
Malware family: n/a
Score: 7/10
Tags: discovery
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Checks installed software on the system
Loads dropped DLL
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments